Security researcher Dan Kaminsky performed a scan of 2.5 million of the Internet’s visible DNS servers and found 230,000 servers that could be exploited. Cache poisoning occurs when hackers successfully corrupt the cache of a DNS, populating its memory with directions to malware servers.
The servers in the most danger are those running earlier versions of the Berkeley Internet Name Domain software (BIND). These early versions employ blind forwarding, which is the loophole potential cache poisoners seek.
Kaminsky spoke at this week’s Black Hat Security conference in Las Vegas. “If you are not monitoring your DNS activity, it is time to start,” he said. DNS servers, which resolve URLs like “https://www.xbiz.com" into numerical IP addresses, often are found at the ISP level, so they handle tens of thousands of user requests daily.
Once a DNS server is poisoned by being tricked into “trusting” another server is legitimate, all subsequent requests for a particular URL will be redirected to, perhaps, an adware or malware site. As hackers are often paid for the volume of traffic they redirect, larger and larger DNS servers are targeted.
Kaminsky performed his scan of the Internet’s DNS servers in July and has not pinpointed which of the web’s server clusters are most vulnerable.
